[SECURITY] Explicitly deny object deserialization

Resolves: #85385 Releases: master, 8.7, 7.6 Security-Commit: f4d645d131fabc98cbbdcefcffb951040d2dd246 Security-Bulletin: TYPO3-CORE-SA-2018-002 Change-Id: Ia138f22856c7dd754e373803af799273868c622b Reviewed-on: https://review.typo3.org/57560 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jul 12, 2018 · b6a04a1 · b6a04a1
1 parent 421ef42
commit b6a04a1
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 3 deletions.
diff --git a/typo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php b/typo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php
@@ -64,6 +64,20 @@ public function __construct()
         }
     }
 
+    /**
+     * Denies deserialization.
+     */
+    public function __wakeup()
+    {
+        $this->opensslPath = null;
+        $this->temporaryDirectory = null;
+
+        throw new \RuntimeException(
+            __CLASS__ . ' cannot be unserialized',
+            1531336156
+        );
+    }
+
     /**
      * Creates a new key pair for the encryption or gets the existing key pair (if one already has been generated).
      *

diff --git a/typo3/sysext/rsaauth/Tests/Unit/Backend/CommandLineBackendTest.php b/typo3/sysext/rsaauth/Tests/Unit/Backend/CommandLineBackendTest.php
@@ -1,5 +1,6 @@
 <?php
 declare(strict_types = 1);
+
 namespace TYPO3\CMS\Rsaauth\Tests\Unit\Backend;
 
 /*
@@ -34,9 +35,6 @@ class CommandLineBackendTest extends UnitTestCase
      */
     protected function setUp()
     {
-        if (Environment::isWindows()) {
-            $this->markTestSkipped('This test is not available on Windows as auto-detection of openssl path will fail.');
-        }
         $GLOBALS['TYPO3_CONF_VARS']['EXTENSIONS']['rsaauth']['temporaryDirectory'] = '';
     }
 
@@ -45,6 +43,7 @@ protected function setUp()
      */
     public function createNewKeyPairCreatesReadyKeyPair()
     {
+        $this->skipIfWindows();
         $subject = new CommandLineBackend();
         $keyPair = $subject->createNewKeyPair();
         if ($keyPair === null) {
@@ -59,6 +58,7 @@ public function createNewKeyPairCreatesReadyKeyPair()
      */
     public function createNewKeyPairCreatesKeyPairWithDefaultExponent()
     {
+        $this->skipIfWindows();
         $subject = new CommandLineBackend();
         $keyPair = $subject->createNewKeyPair();
         if ($keyPair === null) {
@@ -76,10 +76,50 @@ public function createNewKeyPairCreatesKeyPairWithDefaultExponent()
      */
     public function createNewKeyPairCalledTwoTimesReturnsSameKeyPairInstance()
     {
+        $this->skipIfWindows();
         $subject = new CommandLineBackend();
         $this->assertSame(
             $subject->createNewKeyPair(),
             $subject->createNewKeyPair()
         );
     }
+
+    /**
+     * @test
+     */
+    public function doesNotAllowUnserialization(): void
+    {
+        $this->expectException(\RuntimeException::class);
+        $this->expectExceptionCode(1531336156);
+
+        $subject = new CommandLineBackend();
+        $serialized = serialize($subject);
+        unserialize($serialized);
+    }
+
+    /**
+     * @test
+     */
+    public function unsetsPathsOnUnserialization(): void
+    {
+        try {
+            $subject = $this->getAccessibleMock(CommandLineBackend::class);
+            $subject->_set('opensslPath', 'foo');
+            $subject->_set('temporaryDirectory', 'foo');
+            $serialized = serialize($subject);
+            unserialize($serialized);
+        } catch (\RuntimeException $e) {
+            $this->assertNull($subject->_get('opensslPath'));
+            $this->assertNull($subject->_get('temporaryDirectory'));
+        }
+    }
+
+    protected function skipIfWindows(): void
+    {
+        if (Environment::isWindows()) {
+            $this->markTestSkipped(
+                'This test is not available on Windows as auto-detection of openssl path will fail.'
+            );
+        }
+    }
 }